
I need help encrypting the passwords that are passed to my demo registration form.

This is my execute.php in form action

<?php
session_start();
include('db.php');
// Escape the posted value before it goes into the query (the original interpolated it raw).
$username = mysqli_real_escape_string($db, $_POST['username']);

$result = mysqli_query($db, "SELECT * FROM member WHERE username='$username'");
$num_rows = mysqli_num_rows($result);

if ($num_rows) {
    // Username already taken: redirect and stop, so nothing below runs.
    header("location: register.php?remarks=failed");
    exit;
}
else
{
    $date = date("Y-m-d");
    $fullname = mysqli_real_escape_string($db, $_POST['fullname']);
    $password = mysqli_real_escape_string($db, $_POST['password']);
    // The password is still stored as plain text here; that is what the question is asking how to change.
    // The stray trailing comma after '$password' in the original made this INSERT a syntax error.
    mysqli_query($db, "INSERT INTO member(date, fullname, username, password) VALUES('$date', '$fullname', '$username', '$password')");
    header("location: register.php?remarks=success");
    exit;
}
?>

And this is my registercheck.php include

<?php

session_start();

include("db.php");
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
    $username = mysqli_real_escape_string($db, $_POST['username']);
    $password = mysqli_real_escape_string($db, $_POST['password']);

    // Removed from the original: counting every row in `member` and comparing that
    // number with the username string, which can never be a meaningful check.

    // The password is compared in plain text inside the query; that is the part to replace.
    $sql = "SELECT mem_id FROM member WHERE username='$username' and password='$password'";
    $result = mysqli_query($db, $sql);
    $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
    // Removed from the original: $active = $row['active']; the query selects no `active` column.
    $count = mysqli_num_rows($result);
    if ($count == 1)
    {
        $_SESSION['login_user'] = $username;
        header("location: profile");
        exit;
    }
    // Only redirect to the failure page after the real check has been made.
    header("location: index?remark_login=failed");
    exit;
}
?>

I don't know what to do, guys. Please help me. Any comment will be appreciated. Very big thanks.

  • `md5(..)` is not secure. Use `password_hash(..)` instead. – Karlo Kokkak May 22 '18 at 10:56
  • From PHP's [md5 manual](https://secure.php.net/manual/en/function.md5.php): "_Warning It is not recommended to use this function to secure passwords, due to the fast nature of this hashing algorithm. See the Password Hashing FAQ for details and best practices._" – brombeer May 22 '18 at 10:57
  • do $password=md5($_POST['password']); – Jalpesh Patel May 22 '18 at 11:00
  • Possible duplicate of [Secure hash and salt for PHP passwords](https://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords) – MikeS159 May 22 '18 at 11:03

1 Answer

You wouldn't. MD5 is not secure enough for a password. It's very fast and highly frowned upon. Instead, you would opt to use password_hash and password_verify. The man pages do a great job of explaining how to use them.

First you would store the contents of password_hash to your database (during registration).

$password=password_hash($_POST['password'], PASSWORD_DEFAULT);     

To check if a password matches (for when you are performing a login check), you would first SELECT the password from the database and use password_verify.

if(password_verify($_POST['password'], $row['password'])){
     //password matches
}
– IsThisJavascript
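As an added example (not code from the question or from the answer above), here is how the two handlers in the question could be rewritten around password_hash()/password_verify(), with prepared statements instead of string interpolation. It assumes that db.php provides a mysqli connection in $db and that the member table has the columns mem_id, date, fullname, username and password from the question, with password declared at least VARCHAR(255) so the hash string fits; register_member and login_member are names chosen here.

```php
<?php
// Added example, not code from the question or the answer above.
// Assumes: db.php defines $db as a mysqli connection; the `member` table has the
// columns mem_id, date, fullname, username, password from the question, with
// password declared VARCHAR(255) so the full hash string fits.
declare(strict_types=1);

// Registration: store the output of password_hash(), never the raw password.
function register_member(mysqli $db, string $fullname, string $username, string $password): bool
{
    // Duplicate-username check with a bound parameter instead of string interpolation.
    $stmt = $db->prepare('SELECT 1 FROM member WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    $taken = $stmt->num_rows > 0;
    $stmt->close();
    if ($taken) {
        return false;
    }

    // PASSWORD_DEFAULT selects PHP's current recommended algorithm (bcrypt at the time of
    // writing) and generates a random salt; the result is self-describing, so no separate
    // salt column is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $date = date('Y-m-d');

    $stmt = $db->prepare('INSERT INTO member (date, fullname, username, password) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('ssss', $date, $fullname, $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Login: fetch the stored hash by username only, then let password_verify() compare.
// Returns mem_id on success, null on failure.
function login_member(mysqli $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT mem_id, password FROM member WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($memId, $storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Verify against a throwaway hash so an unknown username costs the same time as a
        // wrong password and the two cases cannot be told apart by response timing.
        static $dummyHash = null;
        $dummyHash = $dummyHash ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);
        password_verify($password, $dummyHash);
        return null;
    }

    if (!password_verify($password, $storedHash)) {
        return null;
    }

    // If PHP's default cost or algorithm has changed since this hash was created, upgrade it
    // now, while the plaintext is legitimately in hand.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $stmt = $db->prepare('UPDATE member SET password = ? WHERE mem_id = ?');
        $stmt->bind_param('si', $newHash, $memId);
        $stmt->execute();
        $stmt->close();
    }

    return (int) $memId;
}

// Login handler: the part of registercheck.php that changes.
session_start();
include 'db.php';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $memId = login_member($db, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    if ($memId === null) {
        header('Location: index?remark_login=failed');
        exit;
    }
    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['login_user'] = $_POST['username'];
    header('Location: profile');
    exit;
}
```

In execute.php the corresponding change is to call register_member($db, $_POST['fullname'], $_POST['username'], $_POST['password']) and redirect on its boolean result. Note that the login query selects by username alone: the password never appears in SQL, so the comparison happens in password_verify() against the stored hash, and the prepared statements remove the need for mysqli_real_escape_string() on either path.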